{"id":8819,"date":"2025-07-24T02:43:33","date_gmt":"2025-07-24T02:43:33","guid":{"rendered":"http:\/\/localhost\/?p=8819"},"modified":"2025-07-24T02:43:33","modified_gmt":"2025-07-24T02:43:33","slug":"fastapi-guard-patch-contains-bypassable-regex","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=8819","title":{"rendered":"fastapi-guard patch contains bypassable RegEx"},"content":{"rendered":"
\n

CVE Details<\/h2>\n
\n
\n

Basic Information<\/h3>\n\n\n\n\n\n
Title<\/th>\nfastapi-guard patch contains bypassable RegEx<\/td>\n<\/tr>\n
Type<\/th>\ncve<\/td>\n<\/tr>\n
Published<\/th>\n2025-07-23T22:11:36.441Z<\/td>\n<\/tr>\n
Modified<\/th>\n2025-07-23T22:11:36.441Z<\/td>\n<\/tr>\n<\/table>\n<\/div>\n
\n

Product Information<\/h3>\n\n\n\n\n
Vendor<\/th>\nrennf93<\/td>\n<\/tr>\n
Product<\/th>\nfastapi-guard<\/td>\n<\/tr>\n
Version<\/th>\n>= 3.0.1, < 3.0.2<\/td>\n<\/tr>\n<\/table>\n<\/div>\n<\/div>\n
\n

CVSS Information<\/h3>\n\n\n\n
Base Score<\/th>\n7.8 (HIGH)<\/td>\n<\/tr>\n
Attack Vector<\/th>\nCVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:N\/UI:N\/VC:N\/VI:L\/VA:H\/SC:N\/SI:N\/SA:N\/E:P<\/td>\n<\/tr>\n<\/table>\n<\/div>\n
\n

AI Analysis<\/h3>\n\n\n\n\n\n\n
AI Description<\/th>\nA vulnerability in fastapi-guard version 3.0.1 allows bypassing of regex patterns due to ineffective string length limits, which could lead to security breaches. This issue was fixed in version 3.0.2.<\/td>\n<\/tr>\n
AI Severity<\/th>\nHigh<\/td>\n<\/tr>\n
AI Vendor<\/th>\nrennf93<\/td>\n<\/tr>\n
AI Product<\/th>\nfastapi-guard<\/td>\n<\/tr>\n
AI Version<\/th>\n3.0.1<\/td>\n<\/tr>\n<\/table>\n<\/div>\n
\n

Affected Products<\/h4>\n
    \n
  • rennf93 fastapi-guard >= 3.0.1, < 3.0.2<\/li>\n<\/ul>\n<\/div>\n
    \n

    Additional Information<\/h3>\n\n\n\n
    CWE List<\/th>\nCWE-20, CWE-185<\/td>\n<\/tr>\n
    Source<\/th>\nGitHub_M<\/td>\n<\/tr>\n<\/table>\n<\/div>\n
    \n

    Description<\/h3>\n
    fastapi-guard is a security library for FastAPI that provides middleware to control IPs, log requests, detect penetration attempts and more. In version 3.0.1, the regular expression patched to mitigate the ReDoS vulnerability by limiting the length of string fails to catch inputs that exceed this limit. This type of patch fails to detect cases in which the string representing the attributes of a